﻿<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Input</title>
<meta name="GENERATOR" content="WinCHM">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<style>
html,body { 
	/* Default Font */
	font-family: Courier New;
	font-size: 11pt;
}
</style>

</head>

<body>
<P class=rvps3><STRONG>Input</STRONG><BR>This program accepts 
various options of input:</P>
<P class=rvps3><U>commands</U>: 
Commands have the following format: "command[space]arg1,[optional 
space]arg2,argN".</P>
<P class=rvps3><U>variables</U>: 
Variables optionally start with a $ and can only store one DWORD (QWORD on 
x64).</P>
<P class=rvps3><U> registers</U>: All 
registers (of all sizes) can be used as variables.</P>
<P class=rvps3><U>memory locations</U>: You can read from a memory location by using one of the 
following expressions:<BR>[addr]&nbsp;&nbsp;&nbsp; - read a 
DWORD/QWORD, depending on the 
architecture.<BR><EM>n</EM>:[addr]&nbsp;&nbsp;- read <EM>n</EM>   bytes 
from.<BR><STRONG>REMARKS</STRONG>:<BR>- <EM>n</EM> is the amount of bytes to read, this can be anything 
smaller than 4 on x32 and smaller than 8 on x64 when specified, otherwise         
                 
            
               
            
 there will be an error.</P>
<P class=rvps3><U>flags</U>: Debug 
flags (interpreted as integer) can be used as input. Flags are prefixed with a 
'!' following the flag name. Valid flags are: !cf, !pf, !af, !zf, !sf, !tf, !if, 
!df, !of, !rf, !vm, !ac, !vif, !vip and !id.</P>
<P class=rvps3><U>numbers</U>: All 
numbers are interpreted as hex by default. If you want to be sure, you can use 
the "x" prefix or the "0x" prefix. Decimal numbers can be used by prefixing the 
number with a "." (.123=7B).</P>
<P class=rvps3><U>basic calculations</U>: See "Calculations" for more information.</P>
<P class=rvps3><U>Module Data</U>:</P>
<OL>
  <LI>
<DIV class=rvps3><U>DLL exports</U>:  
     Type 'GetProcAddress' and it will automatically be 
resolved to the actual address of the function. 
To explicitly define from which module to load the API, use: 
"[module].dll:[api]" or "[module]:[api]". In a similar way you can resolve ordinals, try "[module]:[ordinal]". Another 
macro allows you to get the loaded 
base of a module. When "[module]" is an empty string (":GetProcAddress" for example), the 
module that is currently selected in the CPU will be 
used.</DIV><U> </U>
  <LI><U>Loaded Module&nbsp;Bases</U>: 
  If you want to access the loaded module base, you can write: "[module]:0", 
  "[module]:base", "[module]:imagebase" or "[module]:header". 
  <LI><U>RVA/File Offset</U>: If you 
  want to access a module RVA you can either write "[module]:0+[rva]" or you can 
  write "[module]:$[rva]". If you want to convert a file offset to a VA you can 
  use "[module]:#[offset]". When "[module]" is an empty string (":0" for 
  example), the module that is currently selected in the CPU will be used. 
  <LI><U>Module Entry Points</U>: To 
  access a module entry point you can write "[module]:entry", "[module]:oep" or 
  "[module]:ep". Notice that when there are exports with the names "entry", 
  "oep" or "ep" the address of these will be returned 
  instead.<BR><BR><STRONG>Notice</STRONG>: Instead of the ':' delimiter you can 
  also use a '.' If you need to query module information such as 
  "[module]:imagebase" or "[module]":entry" you are advised to 
  use a '?' as delimiter instead ("[module]?entry"). The '?'&nbsp;does 
  checking for named exports later, so it will still work when there is an 
  export called "entry" in the module.</LI></OL>
<P class=rvps3><U>labels/symbols</U>: 
user-defined labels and symbols&nbsp;are a valid expressions.</P>
<P class=rvps3><STRONG>Input for arguments can always be done in any of 
the above forms, except if stated otherwise.</STRONG></P></body></HTML>